Copy Link
Add to Bookmark
Report
CIAC A-01
________________________________________________________________
CIAC
Computer Incident Advisory Capability
Information Bulletin
________________________________________________________________
October 9, 1989
Notice A-1
CIAC (the Computer Incident Advisory Capability) has learned
of a series of attacks on a set of UNIX computers attached to the
Internet. This series of attacks targets anonymous ftp to gain access
to the password file, then uses accounts from that file that use
easily guessed passwords to gain access to the machine. Once access
is gained to the machine, a trojan horse is installed in the Telnet
program (as described in a previous CIAC bulletin) to record further
user accounts and passwords. The TFTP facility has also been utilized
in this sequence of breakins. This bulletin describes the nature of
the threat, and suggests a procedure to protect your computers.
This is a limited distribution information bulletin to warn
your site of a series of hacker/cracker attacks on the Internet. This
bulletin is being sent to you because our records indicate that your
site is connected to the Internet. Please inform CIAC if this is not
true. Also, if you are not the CPPM or CSSM for your site, will you
please promptly forward this bulletin to that person or persons?
There has been a series of breakins into UNIX machines
connected to the Internet. These breakins at first were largely into
systems in North and South Carolina, but they have spread rapidly.
They appear to be the work of a group of hackers with fairly
identifiable patterns of attack. You should be aware of these attack
patterns, and should take measures described below to prevent breakins
at your site.
The attackers are using anonymous ftp (the ability to use ftp
as a guest) to obtain copies of an encrypted password file for a
machine. They then decrypt passwords, and use them to log into an
account on that machine. They become a root user, then install the
trojan horse version of Telnet, about which CIAC alerted you nearly
two months ago. This trojan horse collects passwords of Telnet users,
which the hackers then use to break into other machines. The hackers
are also using .rhost and host.equiv to gain entry into other systems
once they have broken into a new machine. The TFTP facility is also
used to gain access to a machine.
The attackers have not been destroying files or damaging
systems. To avoid being detected and/or monitored, however, they have
many times waited for several weeks or even longer after obtaining
passwords to break in to a system. This threat seems to center around
systems that have not installed the distributed patches to already
known vulnerabilities in the UNIX operating system.
CIAC recommends that you take three courses of action:
1) Look for connections between machines in your network and
host machines that would not normally be connected to your site. If
many of these connections exist, there is a strong possibility that
they may not be legitimate.
Currently many of these unauthorized connections and attacks
have been using:
- universities in North and South Carolina
- universities in Boston
- universities and computer companies in the California
Berkeley/Palo Alto area
Any unusual and unexplained activity from these locations are worth
special attention, as they are likely to be attacks.
2) Look for the Telnet trojan horse, using the command:
strings `which telnet` | grep \@\(\#\) | grep on/off
Any lines that are printed from this command indicate that you have
been affected by the trojan horse. If you discover that you have been
affected by the trojan horse program, please contact CIAC for recovery
procedures.
3) If the host.equiv file contains a "+" unauthorized users
can gain entry into a system. You should therefore inform system
managers that they should remove "+" from any host.equiv files.
Please refer questions to:
CIAC, Thomas Longstaff
Lawrence Livermore National Laboratory
P.O. Box 808
L-540
Livermore, CA 94550
(415) 423-4416 or (FTS) 543-4416
longstaf@frostedflakes.llnl.gov
